Pathing status

Cloudflare issues the following Edge Pathing Statuses:

  • EdgePathingSrc: The stage that made the routing decision
  • EdgePathingOp: The specific action or operation taken
  • EdgePathingStatus: Additional information complementing the EdgePathingOp

The information stored is broken down into the following categories:


Errors

These occur for requests that didn't pass any of the sanity checks performed by the Cloudflare network. Example cases include:

  • Whenever Cloudflare is unable to look up a domain or zone
  • An attempt to improperly use the IP for an origin server
  • Domain ownership is unclear (for example, the domain is not in Cloudflare)

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| cyclic | Cloudflare loop | err_host | | 403 |
| dns_err | Unable to resolve | err_host | | 409 |
| reserved_ip | DNS points to local or disallowed IP | err_host | | 403 |
| reserved_ip6 | DNS points to local or disallowed IPv6 address | err_host | | 403 |
| bad_host | Bad or no Host header | err_host | | 403 |
| no_existing_host | Ownership lookup failed: host possibly not on Cloudflare | err_host | | 409 |

User-based actions

These occur for actions triggered from users based on the configuration for a specific IP (or IP range).

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| Asnum, ip, ipr24, ipr16, ip6, ip6r64, ip6r48, ip6r32, ctry | Ban the request | ban | user | 403 |
| Asnum, ip, ipr24, ipr16, ip6, ip6r64, ip6r48, ip6r32, ctry | Whitelist the request; WAF will not execute | wl | user | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


Firewall Rules

The Cloudflare Firewall Rules app triggers actions based on matching customer-defined rules.

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| filter_based_firewall | request has been blocked | ban | | |
| filter_based_firewall | request has been allowed | wl | | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


Zone Lockdown

Zone Lockdown blocks visitors to particular URIs where the visitor's IP is not allowlisted.

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| zl | Lock down applied | ban | user | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


Firewall User-Agent Block

Challenge (Captcha or JavaScript) or block visitors who use a browser for which the User-Agent name matches a specific string

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| ua | Blocked User-Agent | ban | user | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


Browser Integrity Check

Assert whether the source of the request is illegitimate or the request itself is malicious

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| empty | Blocked request | ban | bic | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


Hot Linking

Prevent hot linking from other sites

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| empty | Blocked request | ban | hot | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


L7-to-L7 DDoS mitigation

Drop DDoS attacks through L7 mitigation

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| l7ddos | Blocked request | ban | protect | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


IP Reputation (MACRO)

The macro stage is comprised of many different paths. They are categorized by the reputation of the visitor IP.

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| nr | There is no reputation data for the IP and no action is being taken (if IUAM is on, a JS challenge is served) | wl | macro | |
| wl | IP is explicitly allowlisted | wl | macro | |
| scan | IP is explicitly allowlisted and categorized as a security scanner | wl | macro | |
| mon | IP is explicitly allowlisted and categorized as a Monitoring Service | wl | macro | |
| bak | IP is explicitly allowlisted and categorized as a Backup Service | wl | macro | |
| mob | IP is explicitly allowlisted and categorized as Mobile Proxy Service | wl | macro | |
| se | IP is explicitly allowlisted as it belongs to a search engine crawler and no action is taken | wl | macro | |
| grey | IP is greylisted (suspected to be bad) but the request was either for a favicon or security is turned off and as such, it is allowlisted. | wl | macro | |
| bad_ok | The reputation score of the IP is bad (or is a TOR IP) but the request was either for a favicon or security is turned off and as such, it is allowlisted. Alternatively, the threat score of the IP is in the accepted security level. | wl | macro | |
| unknown | The pathing_status is unknown and the request is being processed as normal. | wl | macro | |

All other paths in the MACRO stage issue a challenge. Possible scenarios include:

  • A clean IP (acceptable threat level) with IUAM on will trigger the JS challenge
  • A greylisted IP triggers the JS challenge (captcha challenge if IUAM is on)
  • An IP with a bad reputation (also TOR) with a threat level above the accepted threshold triggers a captcha challenge (JS challenge if IUAM is on)

Rate Limiting

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| rate_limit | Dropped request | ban | user | |
| rate_limit | IP is explicitly allowlisted | simulate | user | |

To understand the behavior of challenge pages, see Javascript and Captcha Challenge.


Special cases

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| ao_crawl | AO (Always Online) crawler request | wl | skip | |
| cdnjs | Request to a cdnjs resource | wl | skip | |
| | certain challenge forced by Cloudflare's special headers | | forced | |

Javascript and Captcha Challenge

| EdgePathingStatus | Description | EdgePathingOp | EdgePathingSrc | Status Code |
|---|---|---|---|---|
| captchaNew, jschlNew | A Captcha/JavaScript challenge was presented | chl | | 403, 503 |
| captchaOk, jschlOk | A Captcha/JavaScript challenge would have been presented but a clearance cookie was present | temp_ok | | As per request |
| captchaSucc, jschlSucc | A Captcha challenge was solved correctly and a clearance cookie will be issued | temp_ok | macro | 302 (Redirect to original URL) |
| captchaFail, jschlFail | A failed attempt at solving the Captcha challenge, no clearance cookie will be issued | chl | macro | 302 (Redirect to original URL) |
| captchaErr, jschlErr | A failed attempt at solving the Captcha challenge, no clearance cookie will be issued. Not enough data was provided to solve the challenge. Unlike the previous case, not all of the input needed to verify the solution was provided. | chl | macro | 302 (Redirect to original URL) |
| tokRedempSucc | A blinded-token redemption was successful | chl | | As per request |
| tokRedempFail | A blinded-token redemption failed | chl | | As per request |
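
The tables above can be turned into triage logic over exported request logs. The following is an added example, not Cloudflare's own code: it classifies each record by its three pathing fields and lists client IPs that repeatedly fail challenges without ever passing one. It assumes newline-delimited JSON records in which the client address is in a field named ClientIP; the sample records are constructed.

```python
import json
from collections import Counter

FIELDS = ("ClientIP", "EdgePathingOp", "EdgePathingSrc", "EdgePathingStatus")
# EdgePathingStatus values from the challenge table on this page.
FAILED = {"captchaFail", "jschlFail", "captchaErr", "jschlErr", "tokRedempFail"}
PASSED = {"captchaSucc", "jschlSucc", "tokRedempSucc"}
CLEARANCE = {"captchaOk", "jschlOk"}

def classify(rec):
    """Reduce the three pathing fields of one record to a coarse outcome."""
    op, src, status = (rec.get(k, "") for k in FIELDS[1:])
    if op == "err_host":
        return "error:" + status
    if op == "ban":
        # Name the block by status; fall back to the stage if status is blank.
        return "blocked:" + (status or src)
    if status in FAILED:
        return "challenge_failed"
    if status in PASSED:
        return "challenge_passed"
    if status in CLEARANCE:
        return "clearance_reused"
    return {"chl": "challenge_presented", "simulate": "simulated",
            "wl": "allowed"}.get(op, "other")

def repeat_failers(ndjson, threshold=3):
    """Client IPs with >= threshold failed challenges and no successful one."""
    failed, passed = Counter(), set()
    for line in filter(str.strip, ndjson.splitlines()):
        rec = json.loads(line)
        outcome = classify(rec)
        if outcome == "challenge_failed":
            failed[rec["ClientIP"]] += 1
        elif outcome == "challenge_passed":
            passed.add(rec["ClientIP"])
    return sorted(ip for ip, n in failed.items() if n >= threshold and ip not in passed)

# Constructed sample records (documentation IP ranges), not real log data.
ROWS = [
    ("192.0.2.10", "chl", "", "jschlNew"),
    ("192.0.2.10", "chl", "macro", "jschlFail"),
    ("192.0.2.10", "chl", "macro", "jschlFail"),
    ("192.0.2.10", "chl", "macro", "captchaErr"),
    ("198.51.100.7", "chl", "macro", "captchaFail"),
    ("198.51.100.7", "temp_ok", "macro", "captchaSucc"),
    ("203.0.113.5", "ban", "user", "rate_limit"),
]
SAMPLE = "\n".join(json.dumps(dict(zip(FIELDS, r))) for r in ROWS)
print(repeat_failers(SAMPLE))
```

A client that fails once and then solves the challenge (198.51.100.7 in the sample) is excluded, which keeps ordinary mistyped Captchas out of the result.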